cryptostorm's community forum


You mean DNS leaks? That's likely because people didn't set things up properly. If you either use the most current version of the CS client, or if you use OpenVPN with the disable-outside-DNS argument, there are absolutely no DNS leaks with CS. I've done extensive testing with both clients.

What are you talking about? I'm not teaching someone here, I'm saying that the SOURCE of that DNS leak test must be comprised of idiots if they couldn't figure out how to configure cryptostorm without having a DNS leak. I'm not speaking to the OP here. I'm addressing the acumen of vpntesting.info

For an entity that is making themselves out as some kind of "authority" on which sites have DNS leaks and which don't, they obviously don't know the basics of how to configure things for their tests.

The above image was for Windows 7 VPN clients. I forgot to embed the image for the Mac OS X VPN clients, so here it is:

The test was sponsored by IVPN, which was the only VPN service that passed both the Windows 7 leakage test and the Mac OS X leakage test, so how unbiased the test was can be questioned. Though, I have heard that IVPN are quite good security-wise, so it wouldn't surprise me if the test is genuine.

Khariz wrote: It only fails if you don't know how to configure it correctly. Those people are idiots.

It is for Windows users. Download the client. Run it. Both DNS leaks and WebRTC are plugged up by the client. You would have to manually go mucking around with your TAP adapter's DNS settings after connecting with the CS client if you wanted to create a DNS leak.

For us power users and people insisting on using OpenVPN (paranoid "only open source" software type people) they should know how to add "block-outside-DNS" to a .ovpn file.

I wrote an entire guide to using CS via iOS without the need of any outside platform as an aid. There are no DNS or WebRTC issues on iOS by default though.

I mean, and I'm being completely serious here, it's harder to experience a DNS leak with CS than to NOT experience one. The only way they could have experienced one is if they downloaded a stock .ovpn file from the Github and ran it through OpenVPN without adding in the block-outside-DNS argument.

Now that I think about it, that's probably exactly what they did. They probably performed their tests using CryptoFree and default .ovpn files. No wonder they got such crappy results.

Not sure if this is relevant, but I think it's worth mentioning either way: some time ago I noticed that the England node can leak one's location in rare circumstances (happened to me when visiting UserBenchmark and Top Ten Reviews), which is odd, considering that all those leak-test websites do not report anything suspicious. I brought this up in the cs IRC channel, but everyone just kept shrugging. Decided to check out the England node once again after seeing this thread - still seems leaky.

To your .ovpn files, you need to do that. Otherwise OpenVPN isn't necessarily sending ALL DNS requests through the tunnel.

Also, in case anyone is wondering "why isn't that command just added in there by CryptoStorm?" Here is the answer: the command is not compatible with certain versions of Windows, nor other operating systems. I think the newest versions of the beta OpenVPN will ignore the command if it doesn't apply to the operating system, but most people aren't using that version.

If you use Windows 7, 8, or 10, you really need to add this command to your ovpn files.
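Added example, not part of the thread and not cryptostorm's code: a small Python check that classifies .ovpn profiles by whether they carry `block-outside-dns`. The profile text is constructed, and the `setenv opt` and `ignore-unknown-option` forms it recognises are standard OpenVPN ways to let a client skip an option it does not know; neither is mentioned in the posts above.

```python
DIRECTIVE = "block-outside-dns"

# Constructed stock profile (hostname and certificate are placeholders).
STOCK = """\
client
dev tun
remote vpn.example.net 443 udp
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""

def dns_block_status(profile_text):
    """Classify one .ovpn profile as 'missing', 'strict' or 'portable'."""
    status, ignorable, inline = "missing", set(), False
    for raw in profile_text.splitlines():
        line = raw.strip()
        if line.startswith("<"):           # <ca> ... </ca> style inline blocks
            inline = not line.startswith("</")
            continue
        if inline:
            continue
        for mark in "#;":                  # both characters start a comment
            line = line.split(mark, 1)[0]
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "ignore-unknown-option":
            ignorable.update(tokens[1:])   # options listed here may be skipped
        elif tokens[:3] == ["setenv", "opt", DIRECTIVE]:
            status = "portable"            # applied where supported, skipped elsewhere
        elif tokens[0] == DIRECTIVE and status != "portable":
            # Plain form: a client that does not know the option rejects the file.
            status = "portable" if DIRECTIVE in ignorable else "strict"
    return status

def profiles_needing_edit(profiles):
    """Given {filename: text}, return the filenames with no DNS blocking at all."""
    return sorted(n for n, t in profiles.items() if dns_block_status(t) == "missing")
```

A commented-out directive counts as missing, which is the case that is easy to overlook when reviewing a profile by eye.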

I believe you, but it literally doesn't make any sense. If the client is blocking all DNS requests from being made anywhere but the tunnel's set DNS server, a failure would result in a failed lookup, not a leak. Even if the England node's DNS were malfunctioning, it wouldn't attempt to use DNS servers that weren't set as an alternate in your TAP adapter.

I suggest this: connect to the England node and then manually open the settings on your TAP adapter and see if you have a secondary DNS server set. Or open up a command prompt and do an ipconfig /all and see if your TAP adapter is reporting multiple DNS servers set. It should only have the internal 10.x.x.x server set.
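Added example, not part of the post above: the same `ipconfig /all` check done in Python, flagging any DNS server on the TAP adapter that is outside 10.0.0.0/8. The sample output is constructed, and matching the adapter by "TAP" in its description is an assumption.

```python
import ipaddress

TUNNEL_NET = ipaddress.ip_network("10.0.0.0/8")  # the "internal 10.x.x.x" range

# Constructed, trimmed sample of `ipconfig /all` output; not from a real host.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Ethernet:
   Description . . . . . . . . . . . : Example Gigabit NIC
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Ethernet adapter Ethernet 2:
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   DNS Servers . . . . . . . . . . . : 10.31.33.7
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def dns_by_adapter(text):
    """Map adapter name -> {'description': str, 'dns': [ip_address, ...]}."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line: section header
            current, in_dns = None, False
            if line.rstrip().endswith(":"):
                current = adapters.setdefault(
                    line.strip().rstrip(":"), {"description": "", "dns": []})
            continue
        if current is None:
            continue
        key, sep, value = line.partition(" : ")
        if sep:                            # "Key . . . : value" line
            key = key.strip().rstrip(" .")
            in_dns = key == "DNS Servers"
            if key == "Description":
                current["description"] = value.strip()
        else:                              # value-only line continues the DNS list
            value = line
        if in_dns:
            try:
                addr = value.strip().split("%")[0]   # drop any IPv6 zone id
                current["dns"].append(ipaddress.ip_address(addr))
            except ValueError:
                in_dns = False
    return adapters

def tap_dns_outside_tunnel(text):
    """Return (adapter, address) pairs where a TAP adapter lists a non-10.x resolver."""
    return [(name, str(a)) for name, info in dns_by_adapter(text).items()
            if "TAP" in info["description"] for a in info["dns"] if a not in TUNNEL_NET]
```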

Ahh, okay. He was interrupting the links to test for leaks during disconnects and interruptions.

As CryptoStorm doesn't have any kind of "Network Lock" feature, that easily explains why he experienced DNS leaks. He was intentionally trying to create them and succeeded.

The 6 that passed his test all have competent firewall-rule-based network locks that cause your entire internet-facing network to 100% fail when the connection is not tunneling out of the TAP adapter.

I now believe that the test results are accurate, but CS has never made any claims to the contrary. You won't find CS saying "you won't leak your ISP's DNS if you disconnect from our network". Of course the CS client or OpenVPN leak DNS in the event of the crash. Neither have Network Lock features.

Are you saying that cryptostorm doesn't have an Internet killswitch? Isn't that a basic feature that most VPNs have? If a user were to download something via BitTorrent and leave his/her computer on overnight, cryptostorm would happen to disconnect and pirate hunters/copyright nazis would happen to monitor one or several of the torrents the user is downloading, then the user is screwed.

It doesn't seem to be a DNS-related issue, as I don't even use any DNS servers located in my country. Most likely an IP-address leak of sorts. Oddly enough, it happens only when visiting a certain couple of sites via a certain exit node.

UPDATE: I finally decided to give the cs widget (3.0.0.56) a try, and... still the same thing with the England node. I have no bloody idea what's going on.

Anonymous poster wrote: Are you saying that cryptostorm doesn't have an Internet killswitch? Isn't that a basic feature that most VPNs have? If a user were to download something via BitTorrent and leave his/her computer on overnight, cryptostorm would happen to disconnect and pirate hunters/copyright nazis would happen to monitor one or several of the torrents the user is downloading, then the user is screwed.

That's correct. With CS, if you get disconnected while downloading, you are "screwed", unless you are savvy enough to know how to build your own network lock via firewall rules (which most people are admittedly not). Hell, I'm pretty much too lazy to bother with that even though I know how. I like the software to do it for me.

PJ has expressed his opinion in the past that nobody has a truly functioning Network Lock and that everyone is lying to us, and that's why CS doesn't need one (but he is wrong, as a good handful of VPN providers now have truly good network lock functionality based both on Windows Firewall and WFP policy rules). I'll give him this though, there are just as many VPN providers with crappy network locks that don't work as advertised. But some, like AirVPN and IVPN as examples, truly function like they are supposed to, completely killing your network if you get disconnected.

So yeah, if disconnection-based leakage is a concern of yours, you definitely want to look elsewhere for now.

Why not just take a peek under AirVPN's hood if cryptostorm can't figure out how to make a functional Internet killswitch themselves? But yeah, looks like IVPN or maybe AirVPN is the best option at the moment. Too bad, in every other regard cryptostorm seems like a great VPN service.